mirror of https://github.com/catlog22/Claude-Code-Workflow.git synced 2026-02-13 02:41:50 +08:00

Files

catlog22 ef770ff29b Add comprehensive code review specifications and templates

- Introduced best practices requirements specification covering code quality, performance, maintainability, error handling, and documentation standards.
- Established quality standards with overall quality metrics and mandatory checks for security, code quality, performance, and maintainability.
- Created security requirements specification aligned with OWASP Top 10 and CWE Top 25, detailing checks and patterns for common vulnerabilities.
- Developed templates for documenting best practice findings, security findings, and generating reports, including structured markdown and JSON formats.
- Updated dependencies in the project, ensuring compatibility and stability.
- Added test files and README documentation for vector indexing tests.

2026-01-06 23:11:15 +08:00

4.7 KiB

Raw Blame History

Security Requirements Specification

OWASP Top 10 Coverage

A01:2021 - Broken Access Control

Checks:

Missing authorization checks on protected routes
Insecure direct object references (IDOR)
Path traversal vulnerabilities
Missing CSRF protection
Elevation of privilege

Patterns:

// Missing auth middleware
router.get('/admin/*', handler);  // ❌ No auth check

// Insecure direct object reference
router.get('/user/:id', async (req, res) => {
  const user = await User.findById(req.params.id);  // ❌ No ownership check
  res.json(user);
});

A02:2021 - Cryptographic Failures

Checks:

Sensitive data transmitted without encryption
Weak cryptographic algorithms (MD5, SHA1)
Hardcoded secrets/keys
Insecure random number generation

Patterns:

// Weak hashing
const hash = crypto.createHash('md5').update(password);  // ❌ MD5 is weak

// Hardcoded secret
const token = jwt.sign(payload, 'secret123');  // ❌ Hardcoded secret

A03:2021 - Injection

Checks:

SQL injection
NoSQL injection
Command injection
LDAP injection
XPath injection

Patterns:

// SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;  // ❌

// Command injection
exec(`git clone ${userRepo}`);  // ❌

A04:2021 - Insecure Design

Checks:

Missing rate limiting
Lack of input validation
Business logic flaws
Missing security requirements

A05:2021 - Security Misconfiguration

Checks:

Default credentials
Overly permissive CORS
Verbose error messages
Unnecessary features enabled
Missing security headers

Patterns:

// Overly permissive CORS
app.use(cors({ origin: '*' }));  // ❌

// Verbose error
res.status(500).json({ error: err.stack });  // ❌

A06:2021 - Vulnerable and Outdated Components

Checks:

Dependencies with known vulnerabilities
Unmaintained dependencies
Using deprecated APIs

A07:2021 - Identification and Authentication Failures

Checks:

Weak password requirements
Permits brute force attacks
Exposed session IDs
Weak JWT implementation

Patterns:

// Weak bcrypt rounds
bcrypt.hash(password, 4);  // ❌ Too low (min: 10)

// Session ID in URL
res.redirect(`/dashboard?sessionId=${sessionId}`);  // ❌

A08:2021 - Software and Data Integrity Failures

Checks:

Insecure deserialization
Unsigned/unverified updates
CI/CD pipeline vulnerabilities

Patterns:

// Insecure deserialization
const obj = eval(userInput);  // ❌

// Pickle vulnerability (Python)
data = pickle.loads(untrusted_data)  # ❌

A09:2021 - Security Logging and Monitoring Failures

Checks:

Missing audit logs
Sensitive data in logs
Insufficient monitoring

Patterns:

// Password in logs
console.log(`Login attempt: ${username}:${password}`);  // ❌

A10:2021 - Server-Side Request Forgery (SSRF)

Checks:

Unvalidated URLs in requests
Internal network access
Cloud metadata exposure

Patterns:

// SSRF vulnerability
const response = await fetch(userProvidedUrl);  // ❌

CWE Top 25 Coverage

CWE-79: Cross-site Scripting (XSS)

Patterns:

element.innerHTML = userInput;  // ❌
document.write(userInput);  // ❌

CWE-89: SQL Injection

Patterns:

query = `SELECT * FROM users WHERE name = '${name}'`;  // ❌

CWE-20: Improper Input Validation

Checks:

Missing input sanitization
No input length limits
Unvalidated file uploads

CWE-78: OS Command Injection

Patterns:

exec(`ping ${userInput}`);  // ❌

CWE-190: Integer Overflow

Checks:

Large number operations without bounds checking
Array allocation with user-controlled size

Language-Specific Security Rules

TypeScript/JavaScript

Prototype pollution
eval() usage
Unsafe regex (ReDoS)
require() with dynamic input

Python

pickle vulnerabilities
yaml.unsafe_load()
SQL injection in SQLAlchemy
Command injection in subprocess

Java

Deserialization vulnerabilities
XXE in XML parsers
Path traversal
SQL injection in JDBC

Go

Race conditions
SQL injection
Path traversal
Weak cryptography

Severity Classification

Critical

Remote code execution
SQL injection with write access
Authentication bypass
Hardcoded credentials in production

High

XSS in sensitive contexts
Missing authorization checks
Sensitive data exposure
Insecure cryptography

Medium

Missing rate limiting
Weak password policy
Security misconfiguration
Information disclosure

Low

Missing security headers
Verbose error messages
Outdated dependencies (no known exploits)

4.7 KiB Raw Blame History

Security Requirements Specification

OWASP Top 10 Coverage

A01:2021 - Broken Access Control

A02:2021 - Cryptographic Failures

A03:2021 - Injection

A04:2021 - Insecure Design

A05:2021 - Security Misconfiguration

A06:2021 - Vulnerable and Outdated Components

A07:2021 - Identification and Authentication Failures

A08:2021 - Software and Data Integrity Failures

A09:2021 - Security Logging and Monitoring Failures

A10:2021 - Server-Side Request Forgery (SSRF)

CWE Top 25 Coverage

CWE-79: Cross-site Scripting (XSS)

CWE-89: SQL Injection

CWE-20: Improper Input Validation

CWE-78: OS Command Injection

CWE-190: Integer Overflow

Language-Specific Security Rules

TypeScript/JavaScript

Python

Java

Go

Severity Classification

Critical

High

Medium

Low

4.7 KiB

Raw Blame History